Merge pull request #574 from hmcts/PAY-6328

PAY-6328: Fix CVE-2022-1471
hmcts · May 3, 2024 · 056d190 · 056d190
2 parents 8423793 + 9857ee4
commit 056d190
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 32 deletions.
diff --git a/api/build.gradle b/api/build.gradle
@@ -83,7 +83,7 @@ dependencies {
         exclude(module: 'commons-logging')
         exclude(module: 'slf4j-simple')
     }
-    implementation group: 'org.liquibase', name: 'liquibase-core', version: '4.23.1'
+    implementation group: 'org.liquibase', name: 'liquibase-core'
     implementation group: 'com.github.hmcts.java-logging', name: 'logging-appinsights', version: javaLoggingVersion
     implementation group: 'net.logstash.logback', name: 'logstash-logback-encoder', version:'5.0'
     implementation group: 'org.springframework.boot', name: 'spring-boot-devtools'

diff --git a/cve-resolution-strategy.gradle b/cve-resolution-strategy.gradle
@@ -63,9 +63,13 @@ configurations.all {
                 det.useVersion '42.7.3'
             }
 
+            if (det.requested.name == 'liquibase-core') {
+                det.useVersion '4.27.0'
+            }
+
              /* CVE-2017-18640, CVE-2022-41854 */
             if(det.requested.name == 'snakeyaml'){
-                det.useVersion '1.32'
+                det.useVersion '2.2'
             }
 
             /*

diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
@@ -41,11 +41,6 @@
         <cve>CVE-2020-23171</cve>
     </suppress>
 
-    <suppress>
-        <notes>Major liquibase update to version 4.8.0+ needed, this will require code refactoring</notes>
-        <cve>CVE-2022-0839</cve>
-    </suppress>
-
     <suppress>
         <notes>jackson-databind issue, upgrading to new version broke functional tests.</notes>
         <cve>CVE-2020-36518</cve>
@@ -136,26 +131,6 @@
         <cve>CVE-2020-0187</cve>
     </suppress>
 
-    <suppress>
-        <notes>
-            The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing
-            to nested depth limitation for collections.
-        </notes>
-        <cve>CVE-2022-25857</cve>
-        <cve>CVE-2022-38749</cve>
-        <cve>CVE-2022-38750</cve>
-        <cve>CVE-2022-38751</cve>
-    </suppress>
-
-    <suppress>
-        <notes>
-            Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the
-            parser is running on user supplied input, an attacker may supply content that causes the parser to crash by
-            stack-overflow.
-        </notes>
-        <cve>CVE-2022-38752</cve>
-    </suppress>
-
     <suppress>
         <notes>
             In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection
@@ -258,11 +233,6 @@
         <notes>commons-fileupload</notes>
         <cve>CVE-2023-24998</cve>
     </suppress>
-    <suppress>
-        <notes>SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
-        </notes>
-        <cve>CVE-2022-1471</cve>
-    </suppress>
     <suppress>
         <notes>Tomcat-embed-core and websocket suppressed to fix appinsights issue
         </notes>